
New Member

Cannot access internal server from the outside

Hi, I'm trying to NAT connections coming from the Serial1/0 interface to the GigabitEthernet0/1 and it's not working. Maybe there's something wrong with my config?

Cisco 3825 Router IOS Version 12.4(13r)T11

here's my current config:

ip nat pool PORTFWD 172.16.10.1 172.16.10.1 netmask 255.255.255.0 type rotary
ip nat inside source list 10 interface Serial1/0 overload
ip nat inside destination list 100 pool PORTFWD
!
access-list 10 permit 172.16.10.0 0.0.0.7
access-list 10 permit 0.0.0.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 23 permit 172.16.10.0 0.0.0.7
access-list 23 permit 0.0.0.0 0.0.0.255
access-list 100 permit ip 172.16.10.0 0.0.0.255 any
access-list 100 permit tcp any any range uucp 550

172.16.10.1 is GigabitEthernet0/1's IP address. I already tried mapping it to 172.16.10.5, which is the actual server I'm trying to reach. When I telnet to 172.16.10.5 from the Cisco router on the port I want to get into (i.e. ftp/AFP) it goes in, so it is reachable.

Serial1/0 has ip nat outside

GigabitEthernet0/1 has ip nat inside

Am I doing something wrong? (d'oh)

Thanks in advance.

Ron

1 ACCEPTED SOLUTION
Hall of Fame Super Blue

Re: Cannot access internal server from the outside

n0idnixny wrote:

Richard

so is this line necessary?

ip nat inside source list 101 interface Serial1/0 overload

because I added that line with the access-list 101 permit ip any any in order to provide everyone with internet access, because Verizon just sent me a config to get the router's IP up and no information on how to allow people in the subnet to connect through it. So I added those lines (from what I read online) to have everyone access the internet. Is that a wrong entry? Is there a better way to configure this? Maybe that's what's keeping me from getting this working?

Thanks in advance.

Ron

Ron

No, you need ACL 101 for your NAT in the above statement, but you only need a "permit ip any any". You do not need to apply ACL 101 to an interface for it to work with NAT.

You do need this line so all your internal clients can access the internet -

ip nat inside source list 101 interface Serial1/0 overload

Can you -

1) make sure you remove the ACL from the serial interface but leave ACL 101 for your NAT overload

2) try and make a connection from the outside to the server and then look at your NAT translation table to see if there is a NAT translation, i.e.

router# sh ip nat translations | include 172.16.10.5

and post the result.

I'm assuming you are connecting from a device on the outside of the router?

Jon

21 REPLIES
Super Bronze

Re: Cannot access internal server from the outside

If I understand you correctly, you would like to configure port address redirection NAT for traffic coming towards the Serial1/0 interface ip address towards a server with ip address of 172.16.10.5.

If the above statement is correct, your current configuration is incorrect as you can't port forward from serial1/0 to gig0/1 then to the actual server. This is not a supported configuration.

Here is an example of what you can configure:

ip nat inside source static tcp 172.16.10.5 550 interface serial1/0 550

Hope that helps.

New Member

Re: Cannot access internal server from the outside

Yes you understand correctly.

Just that one line?

I don't need any nat pools or anything like that?

I will try the configuration when I get my hands on the router. Thanks for taking the time to reply, and for the fast reply.

Will let you know as soon as I try it!

Thanks again!

Super Bronze

Re: Cannot access internal server from the outside

Yes, just that one line, and the example I provided is to redirect TCP port 550. You can add or change the port accordingly. Let us know how it goes.

Thanks.

New Member

Re: Cannot access internal server from the outside

I still get connection refused.

Here's what I currently have. Do I need to have an acl for everyone that comes from the outside?

!

ip http server
ip http access-class 23
ip http authentication local
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 172.16.10.5 548 interface Serial1/0 548
ip nat inside source list 10 interface Serial1/0 overload
!
access-list 10 permit 172.16.10.0 0.0.0.7
access-list 10 permit 0.0.0.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 23 permit 172.16.10.0 0.0.0.7
access-list 23 permit 0.0.0.0 0.0.0.255
no cdp run

!

Do you need me to post interface configs?

Thanks in advance.

Ron

Super Bronze

Re: Cannot access internal server from the outside

Can you also remove the following: access-list 10 permit 0.0.0.0 0.0.0.255

Also, if you have an ACL applied to the serial1/0 interface, you would need to allow everyone to access that interface on port 548.

New Member

Re: Cannot access internal server from the outside

I removed the access-list 10 permit 0.0.0.0 0.0.0.255 as requested.

I tried applying this ACL and it wouldn't let me:

access-list 10 permit tcp any host IP.of-serial1 eq 548
Translating "tcp"...domain server (198.6.1.4) [OK]
                                              ^

% Invalid input detected at '^' marker.

Should I just apply an access group? I applied this but I still get connection refused.

interface GigabitEthernet0/1
ip address 172.16.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex full
speed 1000
media-type rj45
no cdp enable
!
interface Serial1/0
ip address WAN-IP-Address 255.255.255.252
ip access-group 101 in
no ip redirects
no ip proxy-arp
ip nat outside
ip virtual-reassembly
encapsulation ppp
no ip mroute-cache
load-interval 30
dsu bandwidth 44210
no cdp enable

ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 WAN's-gateway-IP
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 172.16.10.5 548 interface Serial1/0 548
ip nat inside source list 101 interface Serial1/0 overload
!
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 23 permit 172.16.10.0 0.0.0.7
access-list 101 permit ip any any
access-list 101 permit tcp any host Serial.int.IP.# eq 548
no cdp run
!
!
control-plane
!

Edit: Thanks again for helping.

Hall of Fame Super Silver

Re: Cannot access internal server from the outside

Ron

I am not so clear about the bigger problem with address translation, but it is clear what the problem is with the access list that you attempted. Access list 10 is a standard access list, which allows you to define a single address. To define a source and destination address and to define TCP ports you need to use an extended access list.

HTH

Rick

New Member

Re: Cannot access internal server from the outside

Hi Richard.

What are the steps to do an extended list for source and destination for what I want to do?

Thanks in advance.

Ron

Hall of Fame Super Silver

Re: Cannot access internal server from the outside

Ron

I am very puzzled by this question since you have an extended access list configured in your previous post:

access-list 101 permit ip any any
access-list 101 permit tcp any host Serial.int.IP.# eq 548

I would also point out that with the permit ip any any as the first line, the second line is redundant and not used.

HTH

Rick

New Member

Re: Cannot access internal server from the outside

Richard.

If I take the access-list 101 permit ip any any everyone loses internet connectivity.

Edit: everyone inside the LAN loses internet connectivity.

Ron

Hall of Fame Super Blue

Re: Cannot access internal server from the outside

n0idnixny wrote:

Richard.

If I take the access-list 101 permit ip any any everyone loses internet connectivity.

Edit: everyone inside the LAN loses internet connectivity.

Ron

Ron

Perhaps a recap is in order.

What do you mean by "if I take the access-list ..." in the sentence above? Take it off the interface, maybe?

It would be helpful if you could post your current working config again as well.

Jon

New Member

Re: Cannot access internal server from the outside

Hi Jon.

The subnet 172.16.10.0 uses the internet from the Serial interface, and last time I took out access-list 101 permit ip any any, I lost internet connectivity and so did everyone here. All I'm trying to do is forward incoming connections from the outside through port 548 (AFP) to the server on 172.16.10.5. Is there anything wrong in the config? (Obviously there is.)

Here's what I have currently running:

Current configuration : 3608 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname droga5fibre
!
boot-start-marker
boot-end-marker
!
!card type command needed for slot 1
logging buffered 51200 warnings
!
no aaa new-model
ip cef
!
!
!
!
ip name-server 198.6.1.4
ip name-server 198.6.1.122
multilink bundle-name authenticated
!
!
!
archive
log config
  hidekeys
!
!
controller T3 1/0
!
!
!
!
interface GigabitEthernet0/0
ip address 10.10.10.1 255.255.255.248
ip virtual-reassembly
duplex full
speed 100
media-type rj45
no cdp enable
!
interface GigabitEthernet0/1
ip address 172.16.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex full
speed 1000
media-type rj45
no cdp enable
!
interface Serial1/0
ip address Serial-IP 255.255.255.252
ip access-group 101 in
no ip redirects
no ip proxy-arp
ip nat outside
ip virtual-reassembly
encapsulation ppp
no ip mroute-cache
load-interval 30
dsu bandwidth 44210
no cdp enable
!

ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Serial-Route
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 172.16.10.5 548 interface Serial1/0 548
ip nat inside source list 101 interface Serial1/0 overload
!
access-list 23 permit 172.16.10.0 0.0.0.7
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 101 permit ip any any
access-list 101 permit tcp any host Serial-IP eq 548
no cdp run
!
!
control-plane
!

line con 0
login local
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet
line vty 5 15
access-class 23 in
privilege level 15
login local
transport input telnet
!
scheduler allocate 20000 1000
!
end

Thanks in advance.

Ron

Hall of Fame Super Blue

Re: Cannot access internal server from the outside

Ron

I agree with Rick, remove the acl 101 as "permit ip any any" allows all traffic to come in anyway. You may want to add one later to restrict traffic but you don't need it now.

As for the rest of the config, how are you connecting to the server from outside? You need to connect using the serial IP and not the real address.

Jon

New Member

Re: Cannot access internal server from the outside

Jon

I am using the Serial's IP Address to connect from the outside.

Richard.

BTW you are right, I didn't have an access-group on the serial interface, but I did have an access-list to forward internet for the rest of the subnet, as I said before.

Hall of Fame Super Silver

Re: Cannot access internal server from the outside

Ron

Given what you have posted it is expected behavior that if you remove the permit ip any any from the access list and leave the other entry that everyone on the LAN would lose Internet connectivity.

I suggest that we take a step back and look at this question from a slightly different perspective. The original question was about the need to do a static translation in addition to dynamic translations. And then the observation was made that if you have an access list filtering traffic on the serial interface that it should permit this traffic. And everyone started assuming that you had an access list (and access group on the interface). Based on what has been in this thread I am guessing that you did not have an access list until we suggested it. And based on what is posted to be in the access list I am going to suggest that you do not need an access list filtering traffic on the serial interface.

The real question of whether you should have an access list (and access group on the interface) requires knowledge of your environment and of your requirements that goes far beyond what is included in this thread. But based on what is in this thread I suggest that you remove the access list, remove the access group from the serial interface and focus on whether the translation is working. If the translation works then it is great. If the translation does not work then you will know that the problem is not the access list.

HTH

Rick

New Member

Re: Cannot access internal server from the outside

Richard

so is this line necessary?

ip nat inside source list 101 interface Serial1/0 overload

because I added that line with the access-list 101 permit ip any any in order to provide everyone with internet access, because Verizon just sent me a config to get the router's IP up and no information on how to allow people in the subnet to connect through it. So I added those lines (from what I read online) to have everyone access the internet. Is that a wrong entry? Is there a better way to configure this? Maybe that's what's keeping me from getting this working?

Thanks in advance.

Ron

New Member

Re: Cannot access internal server from the outside

Wow, I feel a little retarded, as I was trying to telnet to the port from the same line; no wonder I was getting connection refused.

sorry

I tried from a different line we have here @ the office and it works!!!

Thanks guys for your help! Jon, Richard, Halijenn for the fast replies.

I will take care of those ACL's and remove the access-group from the interface as well.

Thanks again for your kind help guys. I really appreciate it.

Ron

New Member

Re: Cannot access internal server from the outside

In other words, 172.16.10.0 subnet(GigabitEthernet0/1) needs internet connectivity from the Serial Interface and tcp port 548 needs to be forwarded to address 172.16.10.5.

Maybe there is a better way to configure this scenario from what I already have?

I appreciate the help and time.

Thanks in advance.

Hall of Fame Super Silver

Re: Cannot access internal server from the outside

Ron

I am glad to know that my understanding was correct that you did not originally have an access list applied to the serial interface. And part of the solution is to remove the access-group from the serial interface but not necessarily to remove access list 101.

When I had been talking about access list 101 I was thinking of it in terms of how you had applied it to the serial interface (using access-group) and I missed the fact that you also use that access list in your nat statement. You still need some access list in your nat statement and do not need an access list (or access-group) on the serial interface.

While I believe that you need an access list for NAT, I am not sure that this version of access list 101 is the optimum choice. I do not remember the details, but I think that I remember reading that using permit any any in NAT could cause some problems. I would suggest that you configure an access list like this:

access-list 10 permit 172.16.10.0 0.0.0.255

and use access list 10 in your nat statement rather than using access list 101.

HTH

Rick
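As an added illustration (not from this thread or from Cisco), the Python linter below checks the NAT-related lines of an IOS config for the three points the replies above make: a standard (1-99) ACL cannot carry protocol/port syntax, a leading "permit ip any any" shadows every later entry, and a NAT overload list should match only the inside subnets rather than everything. The sample config is constructed from the poster's final config, with "Serial-IP" kept as the placeholder the poster used.

```python
import re

# Constructed sample drawn from the final config in this thread; "Serial-IP"
# is the placeholder the poster used for the WAN address.
SAMPLE_CONFIG = """
ip nat inside source static tcp 172.16.10.5 548 interface Serial1/0 548
ip nat inside source list 101 interface Serial1/0 overload
access-list 10 permit 172.16.10.0 0.0.0.255
access-list 101 permit ip any any
access-list 101 permit tcp any host Serial-IP eq 548
"""

NAT_LIST = re.compile(r"^ip nat inside source list (\d+) interface \S+ overload$")
ACL_LINE = re.compile(r"^access-list (\d+) (permit|deny) (.+)$")
PROTOCOLS = ("ip", "tcp", "udp", "icmp")


def parse(config):
    """Collect the ACL numbers used for NAT overload and ACL entries by number."""
    nat_acls, acls = [], {}
    for line in (raw.strip() for raw in config.splitlines()):
        if m := NAT_LIST.match(line):
            nat_acls.append(m.group(1))
        elif m := ACL_LINE.match(line):
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3).split()))
    return nat_acls, acls


def lint(config):
    """Return findings as strings; an empty list means the NAT lines look sane."""
    nat_acls, acls = parse(config)
    findings = []
    for number, entries in acls.items():
        standard = int(number) <= 99  # 1-99: source address only, no protocol/port
        for idx, (action, fields) in enumerate(entries):
            if standard and fields[0] in PROTOCOLS:
                findings.append(f"acl {number}: standard ACL cannot take "
                                f"'{fields[0]}'; use an extended (100-199) ACL")
            if fields[:3] == ["ip", "any", "any"] and idx < len(entries) - 1:
                findings.append(f"acl {number}: '{action} ip any any' shadows "
                                f"{len(entries) - idx - 1} later entry/entries")
    for number in nat_acls:
        if number not in acls:
            findings.append(f"nat: overload list {number} is not defined")
        elif any(a == "permit" and f[:3] == ["ip", "any", "any"] for a, f in acls[number]):
            findings.append(f"nat: overload list {number} permits every source; "
                            f"match only the inside subnet(s)")
    return findings
```

Running lint(SAMPLE_CONFIG) reports the shadowed second line of ACL 101 and the over-broad overload list, while the narrow ACL 10 passes clean.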

New Member

Re: Cannot access internal server from the outside

Thanks again Richard for your help!

Next time, instead of hitting myself in the head for 2 days, I'll come here for Q&A.

Thanks!!

Regards,

Ron
