02-19-2010 09:36 AM
Hi, I have configured the SR520 using CCA.
Basically I have a device connected to the SR520 via wireless with the IP address 192.168.200.160.
The SR connects to the internet using ADSL and PPPoE.
I configured NAT to the device for a number of ports, however it doesn't work.
I have attached an extract from the config. Any ideas what I am doing wrong?
02-23-2010 02:50 PM
02-19-2010 11:58 AM
What version of CCA are you using to do this?
02-20-2010 09:07 AM
CCA version 2.2(1)
02-19-2010 02:11 PM
Also could you tell what version of IOS you are running?
Can you also provide the following?
config t
term len 0
exit
show policy-map type inspect zone-pair sdm-zp-out-in
02-20-2010 09:17 AM
02-22-2010 12:47 PM
Could you run that same show command right after you try to connect to the web server for instance? Also, you could run a sniffer on the web server to see if the traffic is getting to you, but not getting back out. I have a few theories about why this isn't working, but would like some confirmation of what you are running into.
02-23-2010 02:50 PM
02-24-2010 08:54 AM
see below
LOUGH-520-R1(config-pmap)#class type SDM-inspect-staticnat-in
LOUGH-520-R1(config-pmap-c)#inspect
%Pass action is already configured. Please remove pass action to configure inspect action
LOUGH-520-R1(config-pmap-c)#no pass
LOUGH-520-R1(config-pmap-c)#no pass
LOUGH-520-R1(config-pmap-c)#in
LOUGH-520-R1(config-pmap-c)#inspect
%No specific protocol configured in class SDM-inspect-staticnat-in for inspection. All protocols will be inspected
LOUGH-520-R1(config-pmap-c)#
02-24-2010 08:56 AM
Could you post a show run for this section? Also, could you try passing the traffic?
02-26-2010 02:57 AM
02-26-2010 07:05 AM
Coming into this late ...
Is outgoing fine, just incoming to the specific device on the required ports is not working?
02-26-2010 07:10 AM
The config looks correct now. Is it still not passing traffic?
02-26-2010 07:36 AM
The issue is NAT from the internet to the inside.
If you VPN to the router and test www to the inside IP (192.168.200.160), I get a webpage, so I know the host is running port 80.
From the internet I get nothing.
John
02-26-2010 11:15 AM
Not sure if I am chasing a wild goose here ... but should this be changed?
class-map type inspect match-all SDM-inspect-staticnat-in
match access-group name staticnat
Change to a match-any:
class-map type inspect match-any SDM-inspect-staticnat-in
match access-group name staticnat
If you do make this change, then you would want to modify the policy map back to pass instead of inspect. You modified this earlier ...
Have you considered calling TAC as well? The FE and ADSL model is supported by Cisco TAC. I would be interested to hear what they have to say ...
Do please provide an update when you can. Kindest regards
Andrew Lissitz
02-26-2010 11:34 AM
I don't believe the match-any will change anything. Match-all means match every line below; see the areas where it says match X ACL and match protocol http. In this case, it must pass the ACL and must be http traffic. With match-all and one line, it is essentially the same thing as match-any. Traffic should be matching that ACL.
Can you provide a terminal output when you try to access the web server?
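Added example (not part of the thread and not Cisco code): a simplified Python model of how a class-map's match-all and match-any modes evaluate, applied to the one-line class-map quoted above and to a two-line variant that also has `match protocol http`. The contents of the `staticnat` ACL and the sample packets are assumptions constructed for the illustration.

```python
# Added illustration: simplified model of IOS zone-based firewall class-map
# matching. ACL contents and packets below are constructed, not from the thread.
import re

def parse_class_map(text):
    """Parse one 'class-map type inspect' stanza into (name, mode, clauses)."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    head = re.fullmatch(r"class-map type inspect (match-all|match-any) (\S+)", lines[0])
    if not head:
        raise ValueError("not a class-map header: " + lines[0])
    clauses = []
    for ln in lines[1:]:
        m = re.fullmatch(r"match access-group name (\S+)", ln)
        if m:
            clauses.append(("acl", m.group(1)))
            continue
        m = re.fullmatch(r"match protocol (\S+)", ln)
        if m:
            clauses.append(("protocol", m.group(1)))
            continue
        raise ValueError("unsupported match line: " + ln)
    return head.group(2), head.group(1), clauses

# Assumption: 'staticnat' permits anything addressed to the inside host.
ACLS = {"staticnat": lambda pkt: pkt["dst"] == "192.168.200.160"}

def matches(class_map, pkt):
    """True if the packet falls into the class under its match mode."""
    _, mode, clauses = class_map
    hits = [ACLS[arg](pkt) if kind == "acl" else pkt["proto"] == arg
            for kind, arg in clauses]
    return all(hits) if mode == "match-all" else any(hits)

ONE_LINE = "class-map type inspect {} SDM-inspect-staticnat-in\n match access-group name staticnat"
TWO_LINE = ONE_LINE + "\n match protocol http"

PACKETS = [  # constructed samples
    {"dst": "192.168.200.160", "proto": "http"},
    {"dst": "192.168.200.160", "proto": "ssh"},
    {"dst": "192.168.200.1", "proto": "http"},
]

def verdicts(template, mode):
    """Per-packet match results for the stanza rendered with the given mode."""
    cm = parse_class_map(template.format(mode))
    return [matches(cm, p) for p in PACKETS]

if __name__ == "__main__":
    for tpl in (ONE_LINE, TWO_LINE):
        print(verdicts(tpl, "match-all"), verdicts(tpl, "match-any"))
```

With a single match line both modes classify every sample packet identically; the results only diverge once a second match line is present.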