New Member

sr520 nat issue

Hi I have configured the sr520 using cca.

Basically I have a device connected to the sr 520 via wireless with the ip address 192.168.200.160.

The SR connects to the internet using adsl and pppoe.

I configured NAT to the device for a number of ports, however it doesn't work.

I have attached an extract from the config. Any ideas what I am doing wrong?

16 REPLIES

Re: sr520 nat issue

What version of CCA are you using to do this?

New Member

Re: sr520 nat issue

cca version 2.2(1)

Re: sr520 nat issue

Also could you tell what version of IOS you are running?

Can you also provide the following?

config t

term len 0

exit

show policy-map type inspect zone-pair sdm-zp-out-in

(will be a long output)
New Member

Re: sr520 nat issue

see attached

IOS version 12.4(24)T2

Re: sr520 nat issue

Could you run that same show command right after you try to connect to the web server for instance?  Also, you could run a sniffer on the web server to see if the traffic is getting to you, but not getting back out.  I have a few theories about why this isn't working, but would like some confirmation to what you are running into.

Re: sr520 nat issue

Instead of....
policy-map type  inspect sdm-inspect-voip-in
class type inspect SDM-inspect-staticnat-in
   pass
Could you do
policy-map type  inspect sdm-inspect-voip-in
class type inspect SDM-inspect-staticnat-in
   inspect
I think that will fix the issue.


New Member

Re: sr520 nat issue

see below

LOUGH-520-R1(config-pmap)#class type SDM-inspect-staticnat-in

LOUGH-520-R1(config-pmap-c)#inspect

%Pass action is already configured. Please remove pass action to configure inspect action

LOUGH-520-R1(config-pmap-c)#no pass

LOUGH-520-R1(config-pmap-c)#no pass

LOUGH-520-R1(config-pmap-c)#in

LOUGH-520-R1(config-pmap-c)#inspect

%No specific protocol configured in class SDM-inspect-staticnat-in for inspection. All protocols will be inspected

LOUGH-520-R1(config-pmap-c)#

Re: sr520 nat issue

Could you post a show run for this section?  Also, could you try passing the traffic?

New Member

Re: sr520 nat issue

Sorry about the delay, please find info attached.

Bronze

Re: sr520 nat issue

Coming into this late ...

Is outgoing fine, just incoming to the specific device on the required ports is not working?

Re: sr520 nat issue

The config looks correct now.  Is it still not passing traffic?

New Member

Re: sr520 nat issue

The issue is NAT from the internet to the inside.

If you vpn to the router and test www to the inside IP (192.168.200.160) I get a webpage so I know the host is running port 80.

From the internet I get nothing.

John

Bronze

Re: sr520 nat issue

Not sure if I am chasing a wild goose here ... but should this be changed?

class-map type inspect match-all SDM-inspect-staticnat-in
match access-group name staticnat

Change to a match-any:

class-map type inspect match-any SDM-inspect-staticnat-in
match access-group name staticnat

If you do make this change, then you would want to modify the policy map back to pass instead of inspect. You modified this earlier ...

Have you considered calling TAC as well?  The FE and ADSL model is supported by Cisco TAC.  I would be interested to hear what they have to say  ...


Do please provide an update when you can.  Kindest regards


Andrew Lissitz

Re: sr520 nat issue

I don't believe the match-any will change anything.  Match all means match every line below, see the areas where it says match X acl and match protocol http.  In this case, it must pass the ACL and must be http traffic.  With match all and one line, it is essentially the same thing as match any.  Traffic should be matching that ACL.

Can you provide a terminal output when you try to access the web server?

New Member

Re: sr520 nat issue

Hi

My issue is resolved.

I noticed some funnies!!

I had to clear the PPPoE session for it to work.

I also noticed every time you add another NAT I need to remove "pass" and put in "inspect".

Also one of the reasons I took so long getting back to you is CCA doesn't play nice with DDNS.

Sometimes it seems to create a new dialer, looks like it only partially configures DDNS. "ip ddns update hostname" was missing.
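
Added example (not part of any post in this thread, and not Cisco or CCA code): since the poster reports that the static-NAT class reverts to "pass" whenever another NAT is added, a saved running-config can be audited for classes on the out-to-in zone-pair that still use the stateless "pass" action instead of "inspect". The sample config is constructed from the lines quoted in the thread; the zone names and the class-default action are assumptions.

```python
import re

# Constructed sample modelled on the lines quoted in this thread. It is not the
# poster's attached config; zone names and the class-default action are assumed.
SAMPLE_CONFIG = """\
class-map type inspect match-all SDM-inspect-staticnat-in
 match access-group name staticnat
policy-map type inspect sdm-inspect-voip-in
 class type inspect SDM-inspect-staticnat-in
  pass
 class class-default
  drop
zone-pair security sdm-zp-out-in source out-zone destination in-zone
 service-policy type inspect sdm-inspect-voip-in
"""
ACTIONS = {"pass", "inspect", "drop"}

def parse_policy_maps(config):
    """Return {policy_map: {class_name: action}} for 'type inspect' policy-maps."""
    policies, pmap, cls = {}, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw.startswith(" "):  # a top-level line ends the open policy-map
            m = re.match(r"policy-map type\s+inspect\s+(\S+)$", line)
            pmap, cls = (m.group(1) if m else None), None
            if pmap:
                policies[pmap] = {}
        elif pmap:
            m = re.match(r"class\s+(?:type\s+inspect\s+)?(\S+)$", line)
            if m:
                cls = m.group(1)
                policies[pmap][cls] = None
            elif cls and line.split()[0] in ACTIONS:
                policies[pmap][cls] = line.split()[0]
    return policies

def zone_pair_policies(config):
    """Return {zone_pair_name: policy_map} from 'zone-pair security' blocks."""
    pairs, zp = {}, None
    for raw in config.splitlines():
        if not raw.startswith(" "):
            m = re.match(r"zone-pair security (\S+)", raw)
            zp = m.group(1) if m else None
        elif zp and raw.strip().startswith("service-policy type inspect "):
            pairs[zp] = raw.split()[-1]
    return pairs

def stateless_pass_classes(config, zone_pair):
    """List (policy_map, class) pairs on the zone-pair whose action is 'pass'."""
    pmap = zone_pair_policies(config).get(zone_pair)
    classes = parse_policy_maps(config).get(pmap, {})
    return [(pmap, c) for c, a in classes.items() if a == "pass"]
```

Calling stateless_pass_classes(config_text, "sdm-zp-out-in") on a saved config after each CCA change returns the classes that need "pass" replaced with "inspect"; an empty list means none were found.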

New Member

Re: sr520 nat issue

I found this out too. I used the dynamicDNS UC520 document to help me figure this out.

I wish the CCA would have a more complete GUI to setup and test the DDNS system on the SR520.
