NAT not routing - I know it's me...

dsegrove
Level 1

Good afternoon from sunny AZ.

I'm not an expert at configuring routers, but I've done bits and pieces over the years. However, I am having a heck of a time with a new Cisco 1720 (with IOS firewall installed). I believe the problem is in the ACLs and I was wondering if someone out there would mind taking a look at this.

Basically, I've got a Serial connection to the ISP, call it A.A.A.174, subnet 255.255.255.252.

They've assigned me an IP address pool B.B.B.16 - B.B.B.23, subnet 255.255.255.248.

The ethernet port is connected to my LAN at 192.168.7.1, subnet 255.255.255.0.

So far so good.

I have NAT configured for some people wanting to browse the web and for incoming SMTP and HTTP traffic. I can ping until the cows come home, but I cannot access either my web or mail box from outside the router. I can ping them both from the router. It's driving me nuts. Any suggestions (helpful) would be very much appreciated. Anyone who can help me get this working, I shall be eternally grateful to and will be happy to reward somehow.

The web server and mail server are on another network, 192.168.3.0.

When I show nat stats, it appears to be okay, but if I do a debug and show log, I get nothing from NAT.

I apologize if this is really obvious.

Here's my configuration (IP addresses altered):

!

version 12.1

service timestamps debug uptime

service timestamps log uptime

!

ip subnet-zero

no ip domain-lookup

!

ip audit notify log

ip audit po max-events 100

ip audit po max-events 100

!

interface FastEthernet0/0

ip address 192.168.7.1 255.255.255.0

ip nat inside

duplex auto

speed auto

!

interface Serial0/0

description cccccccc

ip address A.A.A.174 255.255.255.252

no ip redirects

ip nat outside

!

ip nat pool natpool B.B.B.20 B.B.B.23 netmask 255.255.255.248

ip nat inside source list 5 pool natpool

ip nat inside source static 192.168.3.29 B.B.B.19

ip nat inside source static 192.168.3.200 B.B.B.28

ip classless

ip route 0.0.0.0 0.0.0.0 Serial0/0

ip route 192.168.3.0 255.255.255.0 192.168.7.3

no ip http server

!

access-list 5 permit 192.168.3.0 0.0.0.255

access-list 5 permit 192.168.7.0 0.0.0.255

!

!

end


dsegrove
Level 1

ip nat inside source static 192.168.3.200 B.B.B.28 should read: ip nat inside source static 192.168.3.200 B.B.B.18

snoop-09
Level 1

Your configuration looks good to me. I can only come up with one small detail that may solve your problem: add the following two lines to the beginning of your access-list.

access-list 5 deny 192.168.3.29 0.0.0.0

access-list 5 deny 192.168.3.200 0.0.0.0

This will prevent these two addresses from using the NAT pool. I have my doubts whether this is your problem, especially considering you can ping the two devices. But it's always worth a try.

Thanks snoop. Could internal routing be an issue?

Dave

pmoulay
Level 1

Couple things you might want to change:

1) your default route: instead of pointing to your serial interface - point to the next hop router interface (aka an ip address for the next hop or default gateway)

2) remove the dynamic pool and configure overload on the serial interface (aka ip nat source interface whatever overload) and see if it works. Maybe the range of addresses given by your ISP is incorrect. I do have a similar configuration on my 3660.
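The checks raised in this thread (a static global address outside the assigned block, static hosts also matched by the dynamic NAT access list), as an added Python example that is not part of any post above. It assumes the masked B.B.B prefix is replaced by the documentation prefix 203.0.113, and the names audit_nat and acl_permits are hypothetical.

```python
import ipaddress
import re

# Constructed sample: the NAT lines from the posted config, with the masked
# B.B.B prefix replaced by the documentation prefix 203.0.113 (assumption).
SAMPLE_CONFIG = """\
ip nat pool natpool 203.0.113.20 203.0.113.23 netmask 255.255.255.248
ip nat inside source list 5 pool natpool
ip nat inside source static 192.168.3.29 203.0.113.19
ip nat inside source static 192.168.3.200 203.0.113.28
access-list 5 permit 192.168.3.0 0.0.0.255
access-list 5 permit 192.168.7.0 0.0.0.255
"""
ASSIGNED = ipaddress.ip_network("203.0.113.16/29")  # stands in for B.B.B.16 - B.B.B.23

def ip(text):
    return ipaddress.ip_address(text)

def acl_permits(entries, host):
    """Standard ACL in address/wildcard form: first match wins, implicit deny."""
    for action, addr, wildcard in entries:
        care = 0xFFFFFFFF ^ int(ip(wildcard or "0.0.0.0"))  # bits that must match
        if (int(ip(host)) ^ int(ip(addr))) & care == 0:
            return action == "permit"
    return False

def audit_nat(config, assigned):
    """Return findings for the NAT statements in an IOS-style config."""
    grab = lambda pattern: re.findall(pattern, config, re.M)
    statics = grab(r"^ip nat inside source static (\S+) (\S+)")
    pools = {n: (ip(a), ip(b)) for n, a, b in grab(r"^ip nat pool (\S+) (\S+) (\S+)")}
    findings = []
    for name, (low, high) in pools.items():
        if low not in assigned or high not in assigned:
            findings.append(f"pool {name} is outside {assigned}")
    for local, glob in statics:
        if ip(glob) not in assigned:
            findings.append(f"static global {glob} is outside {assigned}")
        for name, (low, high) in pools.items():
            if low <= ip(glob) <= high:
                findings.append(f"static global {glob} overlaps pool {name}")
    # Static hosts that the dynamic NAT list would also translate.
    for number, name in grab(r"^ip nat inside source list (\d+) pool (\S+)"):
        entries = grab(rf"^access-list {number} (permit|deny) (\S+)(?: (\S+))?")
        for local, glob in statics:
            if acl_permits(entries, local):
                findings.append(f"{local} has a static entry and is permitted by list {number}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_nat(SAMPLE_CONFIG, ASSIGNED)))
```

Run against the sample, it reports the .28 address as outside the /29 and both static hosts as permitted by list 5; it reports nothing once the .18 correction and the two deny lines are applied.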
