sr520 nat issue

johnroche_2
Level 1

Hi, I have configured the SR520 using CCA.

Basically I have a device connected to the SR520 via wireless with the IP address 192.168.200.160.

The SR connects to the internet using ADSL and PPPoE.

I configured NAT to the device for a number of ports, however it doesn't work.

I have attached an extract from the config, any ideas what I am doing wrong?

1 Accepted Solution

Instead of....
policy-map type inspect sdm-inspect-voip-in
 class type inspect SDM-inspect-staticnat-in
  pass
Could you do
policy-map type inspect sdm-inspect-voip-in
 class type inspect SDM-inspect-staticnat-in
  inspect
I think that will fix the issue.


16 Replies

Steven Smith
Level 7

What version of CCA are you using to do this?

cca version 2.2(1)

Steven Smith
Level 7

Also could you tell what version of IOS you are running?

Can you also provide the following?

config t

term len 0

exit

show policy-map type inspect zone-pair sdm-zp-out-in

(will be a long output)

see attached

IOS version 12.4(24)T2

Could you run that same show command right after you try to connect to the web server for instance?  Also, you could run a sniffer on the web server to see if the traffic is getting to you, but not getting back out.  I have a few theories about why this isn't working, but would like some confirmation to what you are running into.


see below

LOUGH-520-R1(config-pmap)#class type SDM-inspect-staticnat-in

LOUGH-520-R1(config-pmap-c)#inspect

%Pass action is already configured. Please remove pass action to configure inspect action

LOUGH-520-R1(config-pmap-c)#no pass

LOUGH-520-R1(config-pmap-c)#no pass

LOUGH-520-R1(config-pmap-c)#in

LOUGH-520-R1(config-pmap-c)#inspect

%No specific protocol configured in class SDM-inspect-staticnat-in for inspection. All protocols will be inspected

LOUGH-520-R1(config-pmap-c)#

Could you post a show run for this section?  Also, could you try passing the traffic?

Sorry about the delay, please find info attached.

Coming into this late ...

Is outgoing fine, just incoming to the specific device on the required ports is not working?

The config looks correct now.  Is it still not passing traffic?

The issue is NAT from the internet to the inside.

If you VPN to the router and test www to the inside IP (192.168.200.160) I get a webpage so I know the host is running port 80.

From the internet I get nothing.

John

Not sure if I am chasing a wild goose here ... but should this be changed?

class-map type inspect match-all SDM-inspect-staticnat-in
 match access-group name staticnat

Change to a match-any:

class-map type inspect match-any SDM-inspect-staticnat-in
 match access-group name staticnat

If you do make this change, then you would want to modify the policy map back to pass instead of inspect. You modified this earlier ...

Have you considered calling TAC as well?  The FE and ADSL model is supported by Cisco TAC.  I would be interested to hear what they have to say  ...


Do please provide an update when you can.  Kindest regards


Andrew Lissitz

I don't believe the match-any will change anything.  Match-all means match every line below, see the areas where it says match X ACL and match protocol http.  In this case, it must pass the ACL and must be http traffic.  With match-all and one line, it is essentially the same thing as match-any.  Traffic should be matching that ACL.

Can you provide a terminal output when you try to access the web server?
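
Added example, not part of the thread and not Cisco code: a simplified Python model of the class-map matching discussed in the last replies, showing that match-all and match-any classify identically when the class-map has one match line and differ once a second line such as match protocol http is present. The contents of the staticnat ACL, the sample packets and all function names are assumptions made for illustration.

```python
import re

# Assumption: the real "staticnat" ACL is not shown in the thread; this stand-in
# permits any source to the inside host 192.168.200.160.
ACLS = {"staticnat": lambda pkt: pkt["dst"] == "192.168.200.160"}
HEADER = re.compile(r"class-map type inspect (match-all|match-any) (\S+)")

def parse_class_map(text):
    """Parse one class-map block into (mode, [(kind, arg), ...])."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    m = HEADER.fullmatch(lines[0])
    if not m:
        raise ValueError("not a class-map header: " + lines[0])
    criteria = []
    for ln in lines[1:]:
        w = ln.split()
        if len(w) == 4 and w[:3] == ["match", "access-group", "name"]:
            criteria.append(("acl", w[3]))
        elif len(w) == 3 and w[:2] == ["match", "protocol"]:
            criteria.append(("protocol", w[2]))
        else:
            raise ValueError("unsupported match line: " + ln)
    if not criteria:
        raise ValueError("class-map has no match lines")
    return m.group(1), criteria

def in_class(text, pkt):
    """True if the packet is classified into the class-map."""
    mode, criteria = parse_class_map(text)
    hits = [ACLS[arg](pkt) if kind == "acl" else pkt["proto"] == arg
            for kind, arg in criteria]
    return all(hits) if mode == "match-all" else any(hits)

# Constructed sample packets: destination as seen by the ACL, and protocol.
PACKETS = [{"dst": "192.168.200.160", "proto": "http"},
           {"dst": "192.168.200.160", "proto": "ssh"},
           {"dst": "192.168.200.10", "proto": "http"}]

def verdicts(mode, *match_lines):
    """Classify each sample packet against SDM-inspect-staticnat-in in this mode."""
    head = "class-map type inspect %s SDM-inspect-staticnat-in" % mode
    text = "\n".join([head] + [" " + ln for ln in match_lines])
    return [in_class(text, p) for p in PACKETS]

if __name__ == "__main__":
    one = "match access-group name staticnat"
    for mode in ("match-all", "match-any"):
        print(mode, verdicts(mode, one), verdicts(mode, one, "match protocol http"))
```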
