Cannot access internal server from the outside

n0idnixny
Level 1

Hi, I'm trying to NAT connections coming from the Serial1/0 interface to the GigabitEthernet0/1 and it's not working. Maybe there's something wrong with my config?

Cisco 3825 Router IOS Version 12.4(13r)T11

here's my current config:

ip nat pool PORTFWD 172.16.10.1 172.16.10.1 netmask 255.255.255.0 type rotary
ip nat inside source list 10 interface Serial1/0 overload
ip nat inside destination list 100 pool PORTFWD
!
access-list 10 permit 172.16.10.0 0.0.0.7
access-list 10 permit 0.0.0.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 23 permit 172.16.10.0 0.0.0.7
access-list 23 permit 0.0.0.0 0.0.0.255
access-list 100 permit ip 172.16.10.0 0.0.0.255 any
access-list 100 permit tcp any any range uucp 550

172.16.10.1 is GigabitEthernet0/1's IP address. I already tried mapping it to 172.16.10.5, which is the actual server I'm trying to reach. When I telnet to 172.16.10.5 from the Cisco router on the port I want to get into (i.e. ftp/AFP) it goes in, so it is reachable.

Serial1/0 has ip nat outside

GigabitEthernet0/1 has ip nat inside

am I doing something wrong? (d'oh)

Thanks in advance.

Ron

Accepted Solution

n0idnixny wrote:

Richard

so is this line necessary?

ip nat inside source list 101 interface Serial1/0 overload

because I added that  line with the access-list 101 permit ip any any in order to provide everyone with internet access because verizon just sent me a config to get the router's IP up and no information on how to allow people in the subnet to connect through it. So I added those lines (from what I read online)  to have everyone access the internet. Is that a wrong entry? Is there a better way to configure this? Maybe that's what's keeping me to get this working?

Thanks in advance.

Ron

Ron

No, you need ACL 101 for your NAT in the above statement, but you only need a "permit ip any any". You do not need to apply ACL 101 to an interface for it to work with NAT.

You do need this line so all your internal clients can access the internet -

ip nat inside source list 101 interface Serial1/0 overload

Can you -

1) make sure you remove the acl from the serial interface but leave acl 101 for your nat overload

2) try and make a connection from the outside to the server and then look at your NAT translation table to see if there is a NAT translation, i.e.

router# sh ip nat translations | include 172.16.10.5

and post the result.

I'm assuming you are connecting from a device on the outside of the router?

Jon


21 Replies

Jennifer Halim
Cisco Employee

If I understand you correctly, you would like to configure port address redirection NAT for traffic coming towards the Serial1/0 interface ip address towards a server with ip address of 172.16.10.5.

If the above statement is correct, your current configuration is incorrect as you can't port forward from serial1/0 to gig0/1 then to the actual server. This is not a supported configuration.

Here is an example of what you can configure:

ip nat inside source static tcp 172.16.10.5 550 interface serial1/0 550

Hope that helps.
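The following is an added example, not configuration posted in this thread, that pulls Jennifer's single static port-forward line and Jon's accepted answer (remove the ACL from Serial1/0, keep ACL 101 only for the overload rule, then check the translation table) into one NAT section for the addresses used here. WAN-IP-PLACEHOLDER stands in for the Serial1/0 address the poster redacted; the narrowed ACL 101 is an assumption of mine, not what Jon wrote.

```cisco
! Added example for this thread, not the poster's running config.
! WAN-IP-PLACEHOLDER = the redacted Serial1/0 address.
!
interface GigabitEthernet0/1
 ip address 172.16.10.1 255.255.255.0
 ip nat inside
!
interface Serial1/0
 ip address WAN-IP-PLACEHOLDER 255.255.255.252
 ip nat outside
 ! Per Jon's step 1 there is deliberately no "ip access-group 101 in" here.
 ! ACL 101 is referenced only by the NAT statement below.
!
! Port forward (Jennifer's line, port 548 = AFP): TCP 548 arriving at the
! Serial1/0 address is translated to the internal server 172.16.10.5.
ip nat inside source static tcp 172.16.10.5 548 interface Serial1/0 548
!
! Outbound PAT for the LAN. Jon says "permit ip any any" is enough; limiting
! the list to the inside subnet (my assumption, not from the thread) keeps the
! overload rule from matching anything but 172.16.10.0/24.
access-list 101 permit ip 172.16.10.0 0.0.0.255 any
ip nat inside source list 101 interface Serial1/0 overload
!
! Verification (Jon's step 2). Run while a client on the outside opens TCP 548
! to the Serial1/0 address:
!   show ip nat translations | include 172.16.10.5
!     the static entry shows as  tcp WAN-IP:548  172.16.10.5:548  ---  ---
!     an active session adds a line whose outside columns hold the client
!   show ip nat statistics          (hit counts for the static and dynamic rules)
!   debug ip nat                    (per-packet translations; "undebug all" to stop)
```

If the static entry is present but no session line ever appears, the packet is not reaching the NAT stage, which points at the upstream path or an inbound ACL rather than at the translation itself.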

Yes you understand correctly.

just that one line?

I don't need any nat pools or anything like that?

I will try the configuration when I get my hands on the router. Thanks for taking the time to reply, and for replying so fast.

Will let you know as soon as I try it!

Thanks again!

Yes, just that one line, and the example I provided is to redirect TCP port 550. You can add or change the port accordingly. Let us know how it goes.

Thanks.

I still get connection refused.

Here's what I currently have. Do I need to have an acl for everyone that comes from the outside?

!

ip http server
ip http access-class 23
ip http authentication local
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 172.16.10.5 548 interface Serial1/0 548
ip nat inside source list 10 interface Serial1/0 overload
!
access-list 10 permit 172.16.10.0 0.0.0.7
access-list 10 permit 0.0.0.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 23 permit 172.16.10.0 0.0.0.7
access-list 23 permit 0.0.0.0 0.0.0.255
no cdp run

!

Do you need me to post interface configs?

Thanks in advance.

Ron

Can you also remove the following: access-list 10 permit 0.0.0.0 0.0.0.255

Also, if you have ACL applied to the serial1/0 interface, you would need to allow everyone to access that interface on port 548.

I removed the access-list 10 permit 0.0.0.0 0.0.0.255 as requested.

I tried applying this acl and it wouldn't let me?

access-list 10 permit tcp any host IP.of-serial1 eq 548
Translating "tcp"...domain server (198.6.1.4) [OK]
                                              ^

% Invalid input detected at '^' marker.

should I just apply an access group? I applied this but I still get connection refused.

interface GigabitEthernet0/1
ip address 172.16.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex full
speed 1000
media-type rj45
no cdp enable
!
interface Serial1/0
ip address WAN-IP-Address 255.255.255.252
ip access-group 101 in
no ip redirects
no ip proxy-arp
ip nat outside
ip virtual-reassembly
encapsulation ppp
no ip mroute-cache
load-interval 30
dsu bandwidth 44210
no cdp enable

ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 WAN's-gateway-IP
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 172.16.10.5 548 interface Serial1/0 548
ip nat inside source list 101 interface Serial1/0 overload
!
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 23 permit 172.16.10.0 0.0.0.7
access-list 101 permit ip any any
access-list 101 permit tcp any host Serial.int.IP.# eq 548
no cdp run
!
!
control-plane
!

Edit: Thanks again for helping.

Ron

I am not so clear about the bigger problem with address translation, but it is clear what the problem is with the access list that you attempted. Access list 10 is a standard access list, which allows you to define a single address. To define a source and destination address and to define TCP ports you need to use an extended access list.

HTH

Rick


Hi Richard.

What are the steps to do an extended list for source and destination for what I want to do?

Thanks in advance.

Ron

Ron

I am very puzzled by this question, since you have an extended access list configured in your previous post:

access-list 101 permit ip any any
access-list 101 permit tcp any host Serial.int.IP.# eq 548

I would also point out that with the permit ip any any as the first line, the second line is redundant and not used.

HTH

Rick


Richard.

If I take the access-list 101 permit ip any any everyone loses internet connectivity.

Edit: everyone inside the LAN loses internet connectivity.

Ron

n0idnixny wrote:

Richard.

If I take the access-list 101 permit ip any any everyone loses internet connectivity.

Edit: everyone inside the LAN loses internet connectivity.

Ron

Ron

Perhaps a recap is in order.

What do you mean by "if I take the access-list ..." in the sentence above? Take it off the interface maybe?

It would be helpful if you could post your current working config again as well.

Jon

Hi Jon.

The subnet 172.16.10.0 uses the internet from the Serial interface, and last time I took out access-list 101 permit ip any any, I lost internet connectivity and so did everyone here. All I'm trying to do is forward incoming connections from the outside through port 548 (AFP) to the server on 172.16.10.5. Is there anything wrong in the config? (Obviously there is.)

Here's what I have currently running:

Current configuration : 3608 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname droga5fibre
!
boot-start-marker
boot-end-marker
!
!card type command needed for slot 1
logging buffered 51200 warnings
!
no aaa new-model
ip cef
!
!
!
!
ip name-server 198.6.1.4
ip name-server 198.6.1.122
multilink bundle-name authenticated
!
!
!
archive
log config
  hidekeys
!
!
controller T3 1/0
!
!
!
!
interface GigabitEthernet0/0
ip address 10.10.10.1 255.255.255.248
ip virtual-reassembly
duplex full
speed 100
media-type rj45
no cdp enable
!
interface GigabitEthernet0/1
ip address 172.16.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex full
speed 1000
media-type rj45
no cdp enable
!
interface Serial1/0
ip address Serial-IP 255.255.255.252
ip access-group 101 in
no ip redirects
no ip proxy-arp
ip nat outside
ip virtual-reassembly
encapsulation ppp
no ip mroute-cache
load-interval 30
dsu bandwidth 44210
no cdp enable
!

ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Serial-Route
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 172.16.10.5 548 interface Serial1/0 548
ip nat inside source list 101 interface Serial1/0 overload
!
access-list 23 permit 172.16.10.0 0.0.0.7
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 101 permit ip any any
access-list 101 permit tcp any host Serial-IP eq 548
no cdp run
!
!
control-plane
!

line con 0
login local
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet
line vty 5 15
access-class 23 in
privilege level 15
login local
transport input telnet
!
scheduler allocate 20000 1000
!
end

Thanks in advance.

Ron

Ron

I agree with Rick, remove the acl 101 as "permit ip any any" allows all traffic to come in anyway. You may want to add one later to restrict traffic but you don't need it now.

As for the rest of the config, how are you connecting to the server from outside ? You need to connect using the serial IP and not the real address.

Jon
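Rick's point (a standard list such as access-list 10 matches only a source address, so the "permit tcp ... eq 548" line Ron typed was rejected), his note that "permit ip any any" as line 1 makes every later line unreachable, and Jon's remark that an inbound ACL can be added later to restrict traffic all come together in the added example below. It is not configuration from this thread: it shows what an inbound ACL on Serial1/0 would look like once written as an extended list, kept separate from ACL 101 so the NAT overload rule is untouched. WAN-IP-PLACEHOLDER stands in for the redacted Serial1/0 address; the DNS entries use the name servers from the posted config.

```cisco
! Added example, not from the thread. WAN-IP-PLACEHOLDER = redacted Serial1/0 address.
!
! Extended list: matches protocol, source, destination and ports, which a
! standard list cannot. Entries are evaluated top to bottom, first match wins,
! so the specific permits come first and "permit ip any any" is NOT used;
! the final deny logs anything unexpected.
!
! Inbound on an "ip nat outside" interface the ACL is checked before NAT
! un-translates the destination, so the forwarded port is matched against the
! Serial1/0 address, not against 172.16.10.5.
ip access-list extended WAN-IN
 remark AFP port forward to 172.16.10.5 (pre-NAT destination = Serial1/0 address)
 permit tcp any host WAN-IP-PLACEHOLDER eq 548
 remark return traffic for TCP sessions the LAN opened through the overload rule
 permit tcp any any established
 remark "established" covers TCP only; UDP replies need their own lines, e.g. DNS
 permit udp host 198.6.1.4 eq domain host WAN-IP-PLACEHOLDER
 permit udp host 198.6.1.122 eq domain host WAN-IP-PLACEHOLDER
 remark ICMP needed for path-MTU discovery and basic reachability tests
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 deny ip any any log
!
interface Serial1/0
 ip access-group WAN-IN in
!
! ACL 101 stays exactly as Jon described, referenced only by NAT:
!   access-list 101 permit ip any any
!   ip nat inside source list 101 interface Serial1/0 overload
!
! Check which lines are matching and what the final deny is dropping:
!   show ip access-lists WAN-IN
!   show logging | include WAN-IN
```

Any other UDP service the LAN uses through the router (NTP, for instance) needs an explicit entry of the same shape as the DNS lines, otherwise its replies fall through to the logged deny; the log output is the quickest way to find such a gap.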

Jon

I am using the Serial's IP Address to connect from the outside.

Richard.

BTW you are right, I didn't have an access-group on the serial interface but I did have an access-list to forward internet for the rest of the subnet as I said before
